Commissioning Instructions
Cybersecurity disclaimer
A6V12006922
Restricted
3 | 21
Cybersecurity disclaimer
Siemens provides a portfolio of products, solutions, systems and services that includes security functions
that support the secure operation of plants, systems, machines and networks. In the field of Building
Technologies, this includes building automation and control, fire safety, security management as well as
physical security systems.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to
implement – and continuously maintain – a holistic, state-of-the-art security concept. Siemens’ portfolio
only forms one element of such a concept.
You are responsible for preventing unauthorized access to your plants, systems, machines and networks,
which should only be connected to an enterprise network or the internet if and to the extent such a
connection is necessary, and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place. Additionally, Siemens’ guidance on appropriate security measures should be
taken into account. For additional information, please contact your Siemens sales representative or visit
https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html.
Siemens’ portfolio undergoes continuous development to make it more secure. Siemens strongly
recommends that updates are applied as soon as they are available and that the latest versions are used.
Use of versions that are no longer supported, and failure to apply the latest updates, may increase your
exposure to cyber threats. Siemens strongly recommends complying with security advisories on the latest
security threats, patches and other related measures, published, among other places, at
https://www.siemens.com/cert/en/cert-security-advisories.htm.
Security best practices
The network setup must avoid any direct connection from the Internet to the end device.
- Implement port security so that no unauthorized laptop or device can connect to a switch and
participate in the network.
- Prevent unauthorized access by physical security measures: access to the devices (controllers)
must be limited to the people who require it. Equipment can additionally be monitored via CCTV.
- Where possible, physically segment control systems from non-control systems. Apply the
principle of least privilege to minimize the impact of compromised user credentials.
- Require complex and strong passwords: at least 12 characters for users with administrative
privileges and at least 8 characters for non-administrative users.
- Ensure that username/password credentials are unique to each site within the country/office;
do not reuse the same credentials across sites.
- Ensure that users each have their own individual unique login accounts. User accounts
must not be shared.
- Configure account lockout settings (threshold, observation window, duration) to protect
the system from password guessing and brute-force attacks.
- Ensure that accounts are removed within a reasonable time when users no longer work at
the site.
- Ensure that firmware is downloaded only from legitimate, known locations.